Pseudo Ransomware Doesn’t Make Headlines
Wipers are really only used in specific and targeted campaigns, Warner said.
“One of the earliest publicly known attacks was against Iranian oil companies and other targets in the Middle East in 2012,” he said. “This was attributed back to the now infamous Equation Group, which themselves were hacked in 2016, which resulted in the WannaCry ransomware and NotPetya wiperware attack through the EternalBlue exploit. Additionally, there were multiple uses of wipers in attacks against Saudi Arabian targets in 2012 and 2016 using Rawdisk, a commercially available tool, which was also used by North Korea’s Lazarus Group in attacks against South Korea and Sony for their release of the movie ‘The Interview.’”
The main reason these pseudo ransomware/wiper attacks are not generally publicized is that they are largely geopolitical in focus, Warner said. These are governments attempting to impact infrastructure or nationalized institutions within another entity that has been identified as the target.
“Hacking against commercial targets that are not nationalized is usually done to extract data or access, which will result in profits for the attacker,” he said. “This is often done in large campaigns, such as the 2021 Kaseya ransomware attack, where access was leveraged into a wide ransomware attack against a large number of organizations. When the attacker is wiping a machine, there is only one goal in mind: to make it as difficult as possible to recover data from the infected machines. The biggest change since NotPetya has been the masquerading as ransomware, which results in a slowdown of investigation to determine if data can indeed be recovered when it is actually deleted.”